PT-2026-3858 · Arduino · Arduinocore-Avr
Published 2025-01-01 · Updated 2026-01-21 · CVE-2025-69209
CVSS v4.0: 6.9 (Medium)
| Vector | AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
ArduinoCore-avr versions prior to 1.8.7
Description
ArduinoCore-avr, which contains the source code and configuration files of the Arduino AVR Boards platform, is affected by a stack-based buffer overflow. This occurs when converting floating-point values to strings with high precision. Passing large decimalPlaces values to the affected String constructors or concat methods causes the dtostrf function to write beyond fixed-size stack buffers, leading to memory corruption and denial of service. Under certain conditions, this could potentially allow for arbitrary code execution on AVR-based Arduino boards.
Recommendations
Versions prior to 1.8.7 should be updated to version 1.8.7 or later.
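The description above boils down to a caller-controlled precision being trusted when a float is formatted into a fixed-size stack buffer. The following host-side C++ is an added example, not code from ArduinoCore-avr or from the 1.8.7 fix: it models the unsafe pattern with snprintf in place of dtostrf, gives a check that tells whether a given (value, decimalPlaces, buffer size) combination would overrun the buffer, and shows a hardened conversion that caps the precision so the output always fits. The buffer size kFixedBuf is an assumption for the example, not the core's actual constant.

```cpp
#include <cstdio>
#include <cstring>
#include <cstddef>
#include <vector>
#include <algorithm>

// Assumed buffer size for this example (not ArduinoCore-avr's real constant).
constexpr size_t kFixedBuf = 33;

// Length (without the NUL) that "%.*f" formatting of value would need.
// snprintf(nullptr, 0, ...) only measures; it writes nothing.
size_t requiredLength(double value, unsigned decimalPlaces) {
    int n = std::snprintf(nullptr, 0, "%.*f", static_cast<int>(decimalPlaces), value);
    return n < 0 ? 0 : static_cast<size_t>(n);
}

// Call-site check: would a bufLen-byte buffer be overrun by the unclamped conversion?
bool wouldOverflow(double value, unsigned decimalPlaces, size_t bufLen) {
    return requiredLength(value, decimalPlaces) + 1 > bufLen;
}

// Hardened conversion: precision is capped so the output always fits bufLen bytes
// including the terminator. Returns the precision actually used. Measuring the
// integer part with "%.0f" is conservative: rounding can only make it as long as,
// or longer than, the integer part at any higher precision.
unsigned formatFloatSafe(double value, unsigned decimalPlaces, char* buf, size_t bufLen) {
    size_t intLen = requiredLength(value, 0);   // sign plus integer digits
    unsigned dp = 0;
    if (intLen + 2 < bufLen) {                  // room left for '.' and the NUL
        size_t maxDp = bufLen - intLen - 2;
        dp = static_cast<unsigned>(std::min<size_t>(decimalPlaces, maxDp));
    }
    std::snprintf(buf, bufLen, "%.*f", static_cast<int>(dp), value);  // bounded write
    return dp;
}

// Helper: format into a bufLen-byte buffer and report the string length produced.
size_t safeFormattedLength(double value, unsigned decimalPlaces, size_t bufLen) {
    std::vector<char> buf(bufLen, '\0');
    formatFloatSafe(value, decimalPlaces, buf.data(), bufLen);
    return std::strlen(buf.data());
}

int main() {
    char buf[kFixedBuf];
    unsigned used = formatFloatSafe(3.14159, 40, buf, sizeof buf);
    std::printf("requested 40 decimals, used %u: %s\n", used, buf);
    std::printf("unclamped call would overflow: %s\n",
                wouldOverflow(3.14159, 40, sizeof buf) ? "yes" : "no");
    return 0;
}
```

On the real target the same check applies to every String(float, decimalPlaces) or concat(float, decimalPlaces) call whose precision argument comes from input; updating to 1.8.7 or later removes the need for callers to clamp it themselves.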
Exploit
Fix
Buffer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Arduinocore-Avr